
Millions of Apps Leak Private User Data Via Leaky Ad SDKs

SAN FRANCISCO – Millions of apps leak personally identifiable information such as name, age, income and possibly even phone numbers and email addresses. At fault are app developers who do not protect ad-targeting data transmitted to third-party advertisers.

“The scale of what we first thought was just specific cases of careless application design is overwhelming,” said Roman Unuchek, security researcher, Kaspersky Lab, who introduced his research here at the RSA Conference on Tuesday. “Millions of applications include third party SDKs, exposing private data that can be easily intercepted and modified – leading to malware infections, blackmail and other highly effective attack vectors on your devices.”

Data sent unencrypted over HTTP can be collected by cybercriminals that share the same Wi-Fi network, or by an ISP or even by malware installed on a target’s home router, researchers said.

Not only can unprotected data be collected, it can also be intercepted and modified by a cybercriminal to show malicious ads that entice users to download a trojanized application, according to Unuchek.

Kaspersky said the origin of the problem can be traced back to the use of predefined and reused SDKs tied to popular advertising networks, which app developers adopt to save time. An analysis of these predefined SDKs by Kaspersky shows many are flawed because they send unprotected user-profile data between the app and the advertisers’ servers. Compounding the problem, the same SDK code has been used by developers in millions of apps.

“We searched for the two most popular HTTP requests – GET and POST. In GET requests user data is usually part of the URL parameters, while in POST requests user data is in the Content field of the request, not the URL. In our research, we looked for apps transmitting unencrypted user data using at least one of these requests, though many were exposing user data in both requests,” Unuchek wrote in a research report released Tuesday.

He said 4 million APKs examined exposed some data to the internet. “Some of them were doing it because their developers had made a mistake, but most of the popular apps were exposing user data because of third-party SDKs,” he said.

Researchers did not identify the advertisers or apps behind the SDKs, stating only that several million apps using popular advertising networks’ SDKs are impacted.

In one example of data leakage, researchers intercepted an unencrypted JSON file being sent from an advertiser’s server. “In this JSON file we found lots of user data, including device information, date of birth, user name and GPS coordinates,” Unuchek wrote.
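One way to automate the check the researchers describe, as an added example that is not Kaspersky’s tooling: given a raw HTTP request captured from a cleartext connection, it reports profile-style fields carried in the URL query of a GET or in the body of a POST, including the JSON case from the example above. The field list and the sample requests are constructed for this example.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Field names of the kind the report says rode in cleartext: profile,
# birth date and GPS fields. The list is an assumption for this example.
PII_KEYS = {"name", "username", "age", "income", "email", "phone",
            "birthdate", "dob", "lat", "lon", "gps", "device_id", "imei"}

def _pii_in(pairs):
    """Return the keys in `pairs` that look like profile data, sorted."""
    return sorted(k for k in pairs if k.lower() in PII_KEYS)

def inspect_request(raw):
    """Parse one raw HTTP/1.x request captured from a cleartext connection.
    Returns None if it carries no profile fields, otherwise a dict with the
    method, host and which fields appeared where ('url' or 'body')."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(":", 1) for h in lines[1:] if ":" in h)}
    host = headers.get("host") or urlsplit(target).netloc
    found = {}
    if method == "GET":
        # GET: user data travels as URL query parameters
        leaked = _pii_in(parse_qs(urlsplit(target).query))
        if leaked:
            found["url"] = leaked
    elif method == "POST":
        # POST: user data sits in the content, form-encoded or JSON
        if "json" in headers.get("content-type", ""):
            try:
                pairs = json.loads(body)
            except ValueError:
                pairs = {}
        else:
            pairs = parse_qs(body)
        leaked = _pii_in(pairs if isinstance(pairs, dict) else {})
        if leaked:
            found["body"] = leaked
    return {"method": method, "host": host, "leaked": found} if found else None

# Constructed sample requests; not traffic from any real app or ad network.
SAMPLE_GET = ("GET http://ads.example.invalid/track?age=34&income=high&id=7 HTTP/1.1\r\n"
              "Host: ads.example.invalid\r\n\r\n")
SAMPLE_POST = ("POST /profile HTTP/1.1\r\nHost: ads.example.invalid\r\n"
               "Content-Type: application/json\r\n\r\n"
               '{"name": "alice", "dob": "1990-01-01", "lat": 37.7, "lon": -122.4}')
```

Run `inspect_request` over each request in a plain-HTTP capture of an app under test; any non-None result is a field that a shared-network observer could read or rewrite.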

More alarming yet, researchers said some malicious app developers also transmit data insecurely. “In the case of malware it is even worse because it can steal more sensitive data like SMSs, call history, contacts, etc. Malicious apps not only steal user data but expose it to the internet making it available for others to exploit and sell,” Unuchek wrote.

He advises users to scrutinize app permissions when installing apps: the more permissions requested, the greater the potential for data to be sent insecurely to advertisers. He also recommends using a VPN.
